Fallout from Failing to Conduct a HIPAA Risk Analysis

There are many reasons a healthcare entity dealing with protected health information (“PHI”) should conduct a risk analysis. First and foremost, if conducted properly, a risk analysis should identify PHI-containing systems, assess vulnerabilities of those systems, evaluate and prioritize risks to those systems, and assist in developing mitigation strategies to safeguard the systems. These on-going efforts can help ensure adequate protection of patients’ health information.

Second, conducting a risk analysis has been required by HIPAA since issuance of the Security Rule. While many healthcare entities did not take this requirement seriously, the passage of the HITECH Act in 2009 increased penalties and enforcement under HIPAA. Based on enforcement data over the past few years, it is clear that the Office for Civil Rights (“OCR”), the arm of the U.S. Department of Health and Human Services (“HHS”) with enforcement authority under HIPAA, is taking this issue seriously by imposing severe civil monetary penalties on healthcare entities of all shapes and sizes. In short, OCR’s position is that failing to conduct a HIPAA risk analysis is unreasonable. The Office has issued guidance on conduct a risk analysis here.

Third, conducting a HIPAA risk analysis is an important process to help healthcare entities understand their security posture in order to prevent data breaches. Data breaches are a common occurrence largely because healthcare entities are rushing to digitize PHI and adopt a cornucopia of health information technologies to improve efficiencies, reduce costs, and improve outcomes in the healthcare system. Conducting a risk analysis can prevent the financial and reputational fallout that occurs from losing patient data.

Fourth, HITECH also created another incentive to conduct a risk analysis: the Electronic Health Record (“EHR”) Incentive Payment program. To qualify for payments under this program, healthcare providers need to attest to being meaningful users of EHRs. Part of that attestation under Stage 1 was that an entity conducts a risk analysis. Over $12.7 billion dollars have been paid to approximately 240,000 providers thus far. Due to amount spent to date, the Federal government is now questioning program integrity and seeking to recoup payments from entities if they have falsely attested. The Centers for Medicare and Medicare (“CMS”) has authority to conduct audits, which it began in 2012. Thus, any entity that has not conducted a risk analysis, but has received payments under the EHR Incentive Payment program, is at risk of losing those payments.

Fifth, receiving EHR incentive payments without conducting a risk assessment may result in liability under the False Claims Act. The HHS Office of Inspector General (“OIG”) has become equally wary of fraud and abuse relative to false attestations. Accordingly, OIG has made this a top priority for 2013, and will likely start to open investigations against alleged false attesters. This may become a real pain point for healthcare entities because liability can be up to three times the amount of the EHR incentive payment and can lead to exclusions from Medicare or Medicaid.